Beginner Question on Logins / User Roles

Hi everyone - I have a question on user roles. I’m not a developer so please bear with me if some of these are basic!

I have a freemium, subscription-based web app. To manage the access levels (free and full), we use a user role within Auth0. Once the user’s subscription expires, the “full” user role is deleted. At that point, their access should revert to the basic “free” tier.

The problem I’m running into is that even if the user role is deleted, they still have full access. For the access level to update, they have to log out, then log back in again. In theory, this means people could access my “full” tool for months without paying, as long as they didn’t log out.

My developers are saying that Auth0 can’t force logouts, which makes sense. But is there something else that can be done to avoid this issue? I feel like this is pretty basic functionality, so if there’s something obvious that my developers or I are missing, I’d love to hear about it.

Thank you so much for taking a look at this!

Hi @mcod83kpaf78,

Welcome to the Auth0 Community!

This is likely due to Access Token Lifetimes.

An access token defines what resources a user can access. These tokens cannot be revoked once issued, and only become invalid once they expire.

For example, a token that was issued with a 30 day lifetime would allow a user to access those resources for 30 days, regardless of what changes you made to their permissions/roles or profile.

In order to solve for more immediate changes, we recommend shortening access token lifetimes. A 5 minute lifetime would mean that a new token (with updated permissions/roles) must be requested after 5 minutes. This means that any changes to user data will be reflected within 5 minutes of the changes being made.

Forcing logout does not invalidate the existing token, and a savvy user could easily hold on to that token, even if they were forced to log out and request a new token. This is why you should use a short token lifetime, vs. forcing logout.

Does that make sense?

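Added example (not Auth0's code and not from this thread) showing why the role change only lands when the token is renewed: a toy HS256 JWT issuer, the resource-server check that trusts the token's own claims until `exp`, and a simulation of the subscription lapsing one second after issue. The signing secret, the user `alice` and the timestamp are constructed placeholders; Auth0 itself normally signs access tokens with RS256, but the snapshot-until-expiry behaviour is the same.

```python
import base64, hashlib, hmac, json

# Toy HS256 JWT issuer plus the check a resource server performs. Constructed
# demo only; the secret below is a placeholder, never a real signing key.
SECRET = b"constructed-demo-signing-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(role_store: dict, sub: str, now: int, lifetime_s: int) -> str:
    """Mint a token; the roles claim is copied from the store at issue time only."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": sub, "roles": sorted(role_store.get(sub, [])),
              "iat": now, "exp": now + lifetime_s}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def can_access_full_tool(token: str, now: int) -> bool:
    """Resource-server check: signature valid, not expired, 'full' role in the claims.
    The live role store is never consulted, so a deleted role is honoured until exp."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return False                        # tampered or foreign token
        claims = json.loads(_b64url_decode(payload))
        if now >= claims["exp"]:
            return False                        # expired: client must request a fresh token
        return "full" in claims["roles"]
    except (ValueError, KeyError):              # malformed token or missing claim
        return False

def simulate_subscription_expiry(lifetime_s: int) -> dict:
    """Role removed one second after issue; report what the resource server allows."""
    store = {"alice": ["free", "full"]}         # constructed user data
    t0 = 1_700_000_000                          # constructed timestamp
    token = issue_token(store, "alice", t0, lifetime_s)
    store["alice"].remove("full")               # subscription lapses, role deleted in Auth0
    renewed = issue_token(store, "alice", t0 + lifetime_s, lifetime_s)  # fresh token at exp
    return {
        "after_role_removed": can_access_full_tool(token, t0 + 1),
        "second_before_exp":  can_access_full_tool(token, t0 + lifetime_s - 1),
        "at_exp":             can_access_full_tool(token, t0 + lifetime_s),
        "with_renewed_token": can_access_full_tool(renewed, t0 + lifetime_s + 1),
    }
```

Run `simulate_subscription_expiry(30 * 86400)` against `simulate_subscription_expiry(300)`: the pattern is identical, only the length of the stale window changes, which is exactly the reply's point.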

Thank you so much for this detailed response, Dan! This makes perfect sense, I will test this out.


No problem! Let me know if you have any questions about it.
